KMS Monitoring Example

Use the gcloud logging metrics create command to create a counter metric that counts every occurrence of a key version being scheduled for destruction (the DestroyCryptoKeyVersion audit-log method).

gcloud logging metrics create key_version_destruction \
  --description "Key version scheduled for destruction" \
  --log-filter "resource.type=cloudkms_cryptokeyversion \
  AND protoPayload.methodName=DestroyCryptoKeyVersion"
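To see exactly which audit-log entries the metric above counts, here is an added Python example (not part of the original page and not a Google library) that applies the same two-clause filter to a few constructed log entries; the parser handles only the field=value AND field=value subset used by this metric, which is an assumption.

```python
# The log filter from the metric above, exactly as written on the page.
KEY_DESTRUCTION_FILTER = (
    "resource.type=cloudkms_cryptokeyversion "
    "AND protoPayload.methodName=DestroyCryptoKeyVersion"
)


def _lookup(entry, dotted_path):
    """Resolve a dotted field path such as protoPayload.methodName in a log entry dict."""
    node = entry
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_filter(filter_text):
    """Parse 'field=value AND field=value ...' into (path, value) pairs.
    Assumption: only the equality/AND subset used by the metric above is supported."""
    clauses = []
    for term in filter_text.split(" AND "):
        path, _, value = term.strip().partition("=")
        if not path or not value:
            raise ValueError(f"unsupported clause: {term!r}")
        clauses.append((path.strip(), value.strip().strip('"')))
    return clauses


def entry_matches(entry, filter_text):
    """True when every clause matches; equality is case-sensitive, like the Logging '=' operator."""
    return all(_lookup(entry, path) == value for path, value in parse_filter(filter_text))


def count_matching(entries, filter_text=KEY_DESTRUCTION_FILTER):
    """The number of entries the counter metric would record for this batch."""
    return sum(1 for e in entries if entry_matches(e, filter_text))


# Constructed sample audit-log entries (not real log data): two scheduled destructions,
# one restore on a key version, and one update on a key rather than a key version.
SAMPLE_ENTRIES = [
    {"resource": {"type": "cloudkms_cryptokeyversion"},
     "protoPayload": {"methodName": "DestroyCryptoKeyVersion",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"resource": {"type": "cloudkms_cryptokeyversion"},
     "protoPayload": {"methodName": "RestoreCryptoKeyVersion"}},
    {"resource": {"type": "cloudkms_cryptokey"},
     "protoPayload": {"methodName": "UpdateCryptoKey"}},
    {"resource": {"type": "cloudkms_cryptokeyversion"},
     "protoPayload": {"methodName": "DestroyCryptoKeyVersion"}},
]

if __name__ == "__main__":
    print(count_matching(SAMPLE_ENTRIES))  # 2
```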

KMS Alerting Example

The alert configured below will be triggered each time a key version has been scheduled for destruction. Note that the alert will get automatically resolved (even though the key version remains scheduled for destruction), so there will be two email notifications, one for the scheduled destruction, and one for the alert being resolved.

  1. In the Monitoring navigation pane, select Alerting and then select Create Policy.
  2. Enter a name for the alerting policy.
  3. Click Add Condition.
  4. The settings in the Target pane specify the resource and metric to be monitored. Click the text box to enable a menu and then select logging/user/key_version_destruction. Leave the resource name empty.
  5. The settings in the Configuration pane of the alerting policy determine when the alert is triggered. Complete this pane with the settings in the following table.
  6. Conditions pane:
     Field                    Value
     Condition triggers if    Any time series violates
     Condition                is above
     Threshold                0
     For                      most recent value
  7. Click Add.
  8. (Optional) Click Add Notification Channel and enter your notification channel information.
  9. Click Save.

Need an experienced Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.